On 13.02.2014 17:26, Alexandre DERUMIER wrote:
Hi Stefan,
thanks for the report.

I don't use iptables to save config
(I'm using iptables-restore to commit the whole ruleset)

But I'm using iptables to check if a rule/chain already exists, for example.

Do you know if the problem occurs on read only?

only write / change

(I don't have read yet all the bug reports, I'll do it tomorrow)


----- Original Message -----

From: "Stefan Priebe - Profihost AG" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>, [email protected]
Sent: Thursday 13 February 2014 11:33:59
Subject: Re: [pve-devel] pve-firewall : iptables V2

Hi Alexandre,

I see the following problem regarding the basic iptables
implementation. The iptables binary is not "thread" safe / can't be run
in parallel. It then exits with exit code 4 and you see a kernel message
"Resource temporarily unavailable".

This means you have to check each iptables command for exit code 4 and
have to re-execute it in that case.

Examples / Bug Reports:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712691

http://lists.netfilter.org/pipermail/netfilter-devel/2006-June/024640.html

http://www.redhat.com/archives/libvir-list/2012-March/msg00746.html

and many more...

Stefan
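A retry wrapper of the kind Stefan describes (check every iptables invocation for exit code 4 and run it again), written here as an added example; it is not code from this thread or from pve-firewall. It assumes a POSIX shell, and it uses a constructed `fake_iptables` stub in place of the real binary so it can be exercised without netfilter; in real use the stub is replaced by `iptables`.

```shell
#!/bin/sh
# Added example, not pve-firewall code: retry iptables when it exits 4,
# which is what the binary returns when another iptables process holds
# the xtables lock ("Resource temporarily unavailable").

IPT_RETRIES=${IPT_RETRIES:-5}     # total attempts before giving up
IPT_BACKOFF=${IPT_BACKOFF:-0.2}   # seconds between attempts (fractional
                                  # sleep is a GNU/BSD extension, not POSIX)

# ipt_retry CMD [ARGS...]
# Runs CMD; on exit code 4 waits IPT_BACKOFF and retries, up to IPT_RETRIES
# attempts. Every other status is returned unchanged, so a failed check
# (-C on a missing rule returns 1) or a usage error (2) is never retried.
ipt_retry() {
    _attempt=0
    while :; do
        "$@" && return 0
        _rc=$?
        [ "$_rc" -ne 4 ] && return "$_rc"
        _attempt=$((_attempt + 1))
        if [ "$_attempt" -ge "$IPT_RETRIES" ]; then
            echo "ipt_retry: giving up after $_attempt attempts: $*" >&2
            return 4
        fi
        sleep "$IPT_BACKOFF"
    done
}

# Constructed stand-in for the iptables binary (assumption for this example):
# exits 4 for the first $FAKE_BUSY_CALLS invocations, then returns $FAKE_RC.
FAKE_CALLS=0
FAKE_BUSY_CALLS=${FAKE_BUSY_CALLS:-2}
FAKE_RC=${FAKE_RC:-0}
fake_iptables() {
    FAKE_CALLS=$((FAKE_CALLS + 1))
    if [ "$FAKE_CALLS" -le "$FAKE_BUSY_CALLS" ]; then
        # what the real binary prints while the lock is held elsewhere
        echo "fake_iptables: Resource temporarily unavailable." >&2
        return 4
    fi
    return "$FAKE_RC"
}

# Demo: the stub is busy twice, the third attempt succeeds.
if ipt_retry fake_iptables -A INPUT -j ACCEPT; then
    echo "rule applied after $FAKE_CALLS attempt(s)"
else
    echo "rule not applied, status $?"
fi
```

Because the wrapper only retries on status 4, it is safe to use for read-only checks (`iptables -C ...`) as well as for writes: a genuine "rule does not exist" answer comes back immediately as 1. iptables 1.4.20 and later also accept `-w`/`--wait`, which blocks on the lock instead of exiting 4; the wrapper covers the older versions that lack it.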
On 13.02.2014 05:57, Alexandre DERUMIER wrote:
any comments for these patches ?


----- Original Message -----

From: "Alexandre Derumier" <[email protected]>
To: [email protected]
Sent: Friday 7 February 2014 16:22:26
Subject: [pve-devel] pve-firewall : iptables V2

changelog:

Add support for host firewall and group rules.
It uses iptables-restore now, so rules are applied atomically.

Also, I don't use RETURN anymore in inbound rules, but jump directly to the outbound
rules, so fewer rule lookups.

FORWARD chain lists are

FORWARD--->proxmoxfw-FORWARD
----> BRIDGEFW-OUT
--->VMBRX-OUT
------->TAPXX-OUT
--->ACCEPT(==JUMP VMBRX-IN)
--->GROUP-xxx-OUT
--->ACCEPT(==JUMP BRIDGEFW-IN)
---->BRIDGEFW-IN
---->VMBRX-IN
------->TAPXX-IN
---->ACCEPT
---->GROUP-xxx-IN
----->ACCEPT


Please test :)
(sample config files for host, group and VM firewall are in the commits)

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
